Hi @scott.dudley, thanks for checking in! I’ve been taking over this piece of work from @MateuszMiodek and will share an update in the coming weeks on the list of libraries we’re looking to remove. The plan is to keep the partner community posted whenever we have a list, even if it’s not the final one.
That said, here are some of the libraries we’re considering for removal. It’s not set in stone yet, but it’s an initial pass on the main Java packages we’re aiming to get rid of, along with some reasons behind it:
- com.google.common (guava): Our preference lies in leveraging Java replacements to streamline our dependencies.
- com.google.inject: google.inject is not used in a holistic way in all our products and is sparsely used.
- com.rometools: We perceive limited value in managing and sustaining this particular library.
- com.sun.jersey: This component is antiquated and no longer maintained.
- org.apache.commons.digester
- org.codehaus: Similarly outdated and lacking maintenance.
- org.dom4j: Utilized within a specialized context, to be replaced by our proprietary code.
- org.joda.time: Java offers a native substitute. We aim to simplify our dependencies.
- com.opensymphony.module.propertyset
- com.opensymphony.module.sitemesh
- com.opensymphony.sitemesh
- org.apache.commons.lang
- org.apache.commons.pool
- org.apache.log4j
- org.jdom
- org.tuckey.web.filters.urlrewrite
Reiterating an earlier point from the RFC, our initiative involves reducing dependencies to fortify our security posture.
As I understand, the purpose of these alerts is to provide advance notice of forthcoming changes, affording vendors sufficient time to prepare. I can guarantee that there will be no removal of packages until the release of the next major versions of each of the products, such as Jira 10, Bitbucket 9, and Confluence 9 in this case. Any removals will be specifically carried out in conjunction with a major release and will be preceded by advance communication.
Regarding your other questions:
> Should we expect the current code to already contain the full and authoritative source of what will eventually be removed, or should we depend on the list that you are going to provide here on CDAC?
Currently, we’re informing partners about the modifications in the public API of shared components used in our various products. We’re collaborating with the product teams to create a comprehensive list of changes to the libraries in different releases. However, it’s important to stay updated by checking the release notes for each specific product (like Jira, Confluence, etc.) to understand any specific tweaks they might introduce.
> Perhaps someone could also look into fixing the tooling?
We apologize for the inconvenience caused. You’re correct in pointing out that we need to update the tooling (AMPS) to align with the anticipated changes in dependencies. As a temporary fix, you can add those dependencies to the exclude list. More details here: More Info on AMPS Banned Plugin Dependency - #6 by aswan
> Why is there no mention of this in the “Preparing for Confluence 8.7” documentation? Are these new warnings intended to be seen by vendors in this release?
Once more, sorry for the inconvenience. As previously stated, we’re actively working with the product teams to compile an extensive list of changes to the libraries across various releases. We’ll share this list in the upcoming weeks. For now, here’s a preliminary list of libraries that will be deprecated in Confluence versions 8.7 to 8.9. Rest assured, we’ll continue to keep the community informed as we gather more specific details.
- com.addonengine.*
- com.atlassian.activeobjects.confluence.*
- com.atlassian.config.util.*
- com.atlassian.confluence.ext.code.*
- com.atlassian.confluence.extra.webdav.*
- com.atlassian.confluence.importexport.*
- com.atlassian.confluence.notifications.batch.*
- com.atlassian.confluence.plugins.collaborative.content.feedback.*
- com.atlassian.confluence.plugins.content_report
- com.atlassian.confluence.plugins.edgeindex.*
- com.atlassian.confluence.plugins.gadgets.refimpl
- com.atlassian.confluence.plugins.jirareports
- com.atlassian.confluence.plugins.hipchat.*
- com.atlassian.confluence.plugins.mobile.analytic
- com.atlassian.confluence.plugins.remotepageview.jwt
- com.atlassian.confluence.plugins.rest.*
- com.atlassian.confluence.plugins.softwareproject
- com.atlassian.confluence.plugins.soy.*
- com.atlassian.confluence.upgrade.*
- com.atlassian.confluence.userstatus.*
- com.atlassian.confluence.vcache.*
- com.atlassian.confluence.velocity.*
- com.atlassian.confluence.warming
- com.atlassian.crowd.embedded.*
- com.atlassian.db.*
- com.atlassian.dragonfly.*
- com.atlassian.fugue.*
- com.atlassian.h2.*
- com.atlassian.favicon.*
- com.atlassian.hazelcast.*
- com.atlassian.hsqldb.*
- com.atlassian.json.*
- com.atlassian.migration.agent.*
- com.atlassian.plugins.roadmap.upgradetask
- com.atlassian.mywork.*
- com.atlassian.plugin.notifications.spi
- com.atlassian.sal.confluence.*
- com.atlassian.threadlocal.*
- com.atlassian.util.concurrent.*
- com.atlassian.velocity
- com.ctc.wstx.*
- com.google.common.*
- com.google.gson.*
- com.ibm.wsdl.*
- org.joda.time.*
- com.octo.captcha.*
- com.opensymphony.ejb.*
- com.opensymphony.module.*
- com.opensymphony.oscache.*
- com.opensymphony.provider.*
- com.opensymphony.sitemesh.*
- com.opensymphony.util.*
- com.rometools.*
- com.sun.imageio.*
- com.sun.media.*
- com.sun.syndication.*
- graphql.schema.*
- io.atlassian.fugue.*
- javax.json.*
- javax.jws.*
- javax.xml.messaging.*
- javax.xml.rpc.*
- javax.xml.soap.*
- net.sf.cglib.*
- org.antlr.*
- org.aopalliance.*
- org.apache.axis.*
- org.apache.batik.*
- org.apache.bcel.*
- org.apache.commons.*
- org.apache.el.*
- org.apache.felix.*
- org.apache.fontbox.*
- org.apache.html.*
- org.apache.http.*
- org.apache.jackrabbit.*
- org.apache.oro.*
- org.apache.pdfbox.*
- org.apache.regexp
- org.apache.tools.*
- org.apache.wml.*
- org.apache.xalan.*
- org.apache.xerces.*
- org.apache.xml.*
- org.apache.xmlcommons.*
- org.apache.xmlgraphics.*
- org.apache.xmlrpc.*
- org.apache.xmpbox.*
- org.apache.xpath.*
- org.bouncycastle.*
- org.cyberneko.html.*
- org.dataloader.*
- org.eclipse.gemini.*
- org.hibernate.validator.*
- org.ietf.*
- org.j3d.*
- org.jdom.*
- org.jdom2.*
- org.json.*
- org.jsoup.*
- org.slf4j.bridge.*
- org.slf4j.impl.*
Thanks,
Malathi Vangalapati